SSAE 16 is a revision of the outdated, two-decade-old standard for reporting on service organizations, SAS 70, and strives to ensure that US companies remain compliant with ISAE 3402, the new international service organization reporting standard.
The primary aim of seeking SSAE 16 compliance is to ensure international competitiveness. With more and more companies opting to outsource their services, a major challenge is to ensure that the outsourced partner also adopts such standards. SSAE 16 recognizes this pressing need and offers SSAE 16 Level II, catering to outsourcing organizations that handle any data that affects the financial statement of SSAE 16 compliant firms. If the outsourcing partner, such as a data center, handles information related to payroll processing, loan servicing, SaaS, medical claims processing, or network monitoring services, then it becomes imperative that the data center be SSAE 16 Type II compliant.
SSAE 16 Type II is in essence a flexible and adaptive annual commitment to reporting. Unlike most other standards, it is not prescriptive and comes with only a lightly enforced framework.
The SSAE 16 Type II Compliance Report mandates:
- A description of the systems adopted by the service provider
- The service provider’s assertion of the design and implementation of the system and controls in place for the specified period
- An assurance report from a service auditor
These specifications are open to interpretation by the service providers, auditors, and other stakeholders. There is no certification involved in SSAE 16 compliance; rather, the auditor attests to the compliance.
Contrary to popular perception, outsourcing is a tricky business and has much scope for misunderstandings and deviations from expectations. SSAE 16 Type II compliance resolves such confusion by lending clarity to the business process. It offers assurance to investors that the controls adopted by the outsourcing partner are sound in nature. These reports also offer the groundwork for trust between the outsourcing provider and the client, assuring all stakeholders of the basic framework and standards at play.